A poorly configured Amazon S3 bucket belonging to Walmart jewelry vendor MBM Company has exposed 1.3 million customer records. The bucket was left open and publicly readable by anyone who found it, and it contained personal and account information, payment details, plain-text passwords, and other data. It has yet to be determined whether MBM's other customers (HSN, Amazon, Overstock, Sears, Kmart, and Target) have also been affected.
This has become a recurring theme: a third party fails to properly secure an Amazon S3 bucket, or in some cases fails to employ even basic security measures, and customer information ends up openly disclosed online. Is MBM to blame here? Most certainly. Is Walmart responsible? Absolutely. Should MBM's other customers be concerned? Without a doubt. It can be difficult for a company to verify how well a vendor secures its information; however, encrypting sensitive and personal information should always be a fundamental requirement. Two caveats apply. Passwords should never be stored in a recoverable form at all, only as salted hashes. And turning on S3 server-side encryption with S3-managed keys (SSE-S3) would not have helped here, because S3 transparently decrypts objects for any reader the bucket permits, including an anonymous reader of a public bucket; the data has to be encrypted before it lands in the bucket, with keys the bucket's readers do not hold.
The fact that this happened without any hack at all, just an open bucket, somehow makes these events even more unacceptable. It is negligence, plain and simple, to leave an S3 bucket containing this type of information publicly readable. The question is how this was allowed to happen. Obviously, MBM should have had better operational security controls in place, but what about their customers?
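The misconfiguration at the heart of this story is easy to check for, and it is the check a customer such as Walmart could have asked its vendor to run. The following is an added example, not code from the article or from MBM or Walmart: it audits the three documents that decide whether an S3 bucket is anonymously readable (the bucket ACL, the bucket policy, and the Public Access Block settings) in the JSON shapes the S3 API returns. The bucket names, account ID and role name in the two sample configurations are constructed placeholders; with boto3 the same three documents would come from get_bucket_acl(), get_bucket_policy() and get_public_access_block().

```python
"""Audit an S3 bucket's ACL, bucket policy and Public Access Block settings
for anonymous access paths.

Added example (not the article's or MBM's code). The sample configurations
at the bottom are constructed for illustration; bucket names, the account ID
123456789012 and the role name are placeholders, not real identifiers.
"""

# AWS-defined group grantees whose presence in an ACL makes the bucket public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _principal_is_wildcard(principal):
    """True if a policy Principal admits anyone: "*", {"AWS": "*"} or {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_acl_grants(acl):
    """List ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def public_policy_statements(policy):
    """List Allow statements with a wildcard Principal and no Condition block.

    Statements that carry a Condition are deliberately not flagged: they may
    still be public (e.g. a weak aws:Referer check) and need manual review.
    """
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(
            f"policy allows {', '.join(actions)} to Principal '*' (Sid={st.get('Sid', '-')})"
        )
    return findings


def missing_public_access_block(pab):
    """List Block Public Access flags that are absent or false (an empty dict = none set)."""
    return [f"PublicAccessBlock.{flag} is not true" for flag in PUBLIC_ACCESS_BLOCK_FLAGS if not pab.get(flag)]


def audit_bucket(acl, policy, pab):
    """Run all three checks; an empty list means no anonymous access path was found."""
    return public_acl_grants(acl) + public_policy_statements(policy) + missing_public_access_block(pab)


# Constructed sample 1: the kind of configuration that exposes a bucket.
OPEN_ACL = {
    "Owner": {"ID": "ownercanonicalid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"}],
}
OPEN_PAB = {}  # no Public Access Block configured at all

# Constructed sample 2: the hardened equivalent (owner-only ACL, one named role, all four blocks on).
LOCKED_ACL = {"Owner": {"ID": "ownercanonicalid"}, "Grants": OPEN_ACL["Grants"][:1]}
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/customer-export-reader"},
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-customer-exports/*"}],
}
LOCKED_PAB = {flag: True for flag in PUBLIC_ACCESS_BLOCK_FLAGS}

if __name__ == "__main__":
    for name, cfg in (("open", (OPEN_ACL, OPEN_POLICY, OPEN_PAB)),
                      ("locked", (LOCKED_ACL, LOCKED_POLICY, LOCKED_PAB))):
        findings = audit_bucket(*cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running it reports six findings for the open configuration (one ACL grant, one wildcard policy statement, and all four Block Public Access flags missing) and none for the locked one. The Block Public Access flags are worth checking even when ACL and policy look clean: with all four enabled at the account level, a later "helpful" ACL or policy change that would re-open a bucket is rejected by S3 instead of silently taking effect.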
How a third party protects a company's data is the primary focus of every third-party risk program. So, was this a failure by MBM to follow documented procedures, or a failure by Walmart to determine how MBM was protecting its customer data? We may never know the answer, but the frequency with which these events happen suggests that companies are not taking appropriate measures to determine whether vendors are properly protecting their customers' data.
I understand that assessing third party compliance with data security controls is a complex and costly activity. However, protecting customer data should be a priority for everyone, regulated or not. Unfortunately, until companies are willing to make the commitment necessary to address these issues, customer data will continue to be at risk.